The initial release contained every amateurish security hole in the book. The errors were the sort one might see in a WordPress plugin written by someone with three months' PHP experience. I wouldn't call those a 'TODO', since I can't even write a basic PHP or Django page without doing the basics like sanitizing what goes to the database or making sure the user owns a photo before deleting it. The fact that the Diaspora team didn't do any of that shows that they had precious little experience. Not sure why anyone would want to build upon something written by absolute amateurs - in the past, that is how the world ended up with WordPress and PHP.
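The "does the user own this photo before deleting it" check the comment above refers to, as an added example. This is not Diaspora's code (Diaspora is a Rails application; this is plain Ruby with an in-memory store so it runs without Rails or a database), and the names `Photo`, `PhotoStore`, `delete_photo_vulnerable` and `delete_photo_hardened` are hypothetical. It shows the vulnerable pattern (look the record up by the id in the request, never consult the session's user) beside the hardened one (scope the lookup to the current user, so someone else's photo is indistinguishable from one that does not exist). The other point in the comment, sanitizing what goes to the database, is not covered here.

```ruby
# Added example, not code from Diaspora. Minimal in-memory model of a
# photo store; all names below are hypothetical.

Photo = Struct.new(:id, :owner_id, :path)

class NotFound < StandardError; end

class PhotoStore
  def initialize(photos)
    @photos = photos.each_with_object({}) { |p, h| h[p.id] = p }
  end

  # Unscoped lookup: any id that exists is returned, whoever owns it.
  def find(id)
    @photos[id] || raise(NotFound, "photo #{id}")
  end

  # Scoped lookup: a photo owned by someone else raises the same NotFound as
  # a photo that does not exist, so the response does not leak which ids
  # are valid.
  def find_owned_by(user_id, id)
    photo = @photos[id]
    raise NotFound, "photo #{id}" if photo.nil? || photo.owner_id != user_id
    photo
  end

  def delete(id)
    @photos.delete(id)
  end

  def exists?(id)
    @photos.key?(id)
  end
end

# Vulnerable controller action: trusts params[:id] and ignores the logged-in
# user entirely. Any authenticated user can delete any photo by guessing ids.
def delete_photo_vulnerable(store, _current_user_id, params)
  photo = store.find(params[:id])
  store.delete(photo.id)
  :deleted
rescue NotFound
  :not_found
end

# Hardened action: the lookup itself is restricted to the current user's
# photos, so the ownership check cannot be forgotten on a later code path.
def delete_photo_hardened(store, current_user_id, params)
  photo = store.find_owned_by(current_user_id, params[:id])
  store.delete(photo.id)
  :deleted
rescue NotFound
  :not_found
end

# Constructed sample data: user 100 owns photo 1, user 200 owns photo 2.
def sample_store
  PhotoStore.new([
    Photo.new(1, 100, "/uploads/alice.jpg"),
    Photo.new(2, 200, "/uploads/bob.jpg"),
  ])
end

if __FILE__ == $PROGRAM_NAME
  # User 100 tries to delete user 200's photo through each version.
  puts "vulnerable: #{delete_photo_vulnerable(sample_store, 100, { id: 2 })}"
  puts "hardened:   #{delete_photo_hardened(sample_store, 100, { id: 2 })}"
end
```

The hardened version returns the same `:not_found` for a photo owned by another user and for an id that does not exist; answering "forbidden" for the former would tell an attacker which ids are live. Scoping the query (`find_owned_by`) rather than fetching and then comparing `owner_id` also means a new action that reuses the lookup gets the check for free.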